added doc for patching plexamp and certificate

Mathieu Broillet 2025-08-25 12:36:41 +02:00
parent a7492c152d
commit d2f1a7eafa
Signed by: mathieub
GPG Key ID: 4428608CDA3A98D3
2 changed files with 113 additions and 5 deletions

1
.gitignore vendored

@ -6,3 +6,4 @@ dist/
tmp/ tmp/
*.spec *.spec
.idea/ .idea/
certs/
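Review bot: `certs/` is the only new ignore entry, but the README steps added in this same commit also create `extracted_apks/` at the repo root and `keystores/` beside it (`mkdir -p ../keystores`), and the latter holds the APK signing keystore. Add `keystores/` and `extracted_apks/` here so the keystore and the pulled APKs cannot be committed by accident.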

115
README.md

@ -20,9 +20,54 @@ Due to the nature of this hack, you'll have to :
- generate a new certificate authority (CA) for the proxy - generate a new certificate authority (CA) for the proxy
- trust or patch the CA on clients and/or apps that will connect to your Plex server - trust or patch the CA on clients and/or apps that will connect to your Plex server
### 1. Generate a new Certificate Authority (CA) ### 1. Generate a new Certificate Authority (CA) and proxy certificate
in writing... ```bash
# Generate a root CA
openssl genrsa -out plexhackCA.key 4096
# Create a self-signed root CA certificate
openssl req -x509 -new -nodes -key plexhackCA.key -sha256 -days 3650 -out plexhackCA.crt -subj "/C=US/ST=Unknown/L=Unknown/O=Unknown/CN=PlexHackCA"
# Generate private key for proxy
openssl genrsa -out plexhackproxy.key 2048
# Create a config file for the proxy certificate (SANs)
cat > plexhacksan.cnf <<EOL
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = US
ST = Unknown
L = Unknown
O = Unknown
CN = plex.tv
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = plex.tv
DNS.2 = clients.plex.tv
EOL
# Create a certificate signing request (CSR) using the SAN config
openssl req -new -key plexhackproxy.key -out plexhackproxy.csr -config plexhacksan.cnf
# Sign the CSR with your root CA to create the proxy certificate
openssl x509 -req -in plexhackproxy.csr -CA plexhackCA.crt -CAkey plexhackCA.key -CAcreateserial -out plexhackproxy.crt -days 825 -sha256 -extfile plexhacksan.cnf -extensions req_ext
```
Now you should have two files `plexhackproxy.crt` and `plexhackproxy.key` that you will use in your reverse proxy.
You should also have the `plexhackCA.crt` file that you will need to trust on your clients.
> [!IMPORTANT]
> You will need to trust the `plexhackCA.crt` certificate on every device that
> will connect to your Plex server (i.e. mobile, desktop, smart TV...).
> How to do this depends on the device and OS, you will need to search for instructions
> specific to your device.
### 2. Setup reverse proxy ### 2. Setup reverse proxy
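Review bot: the root CA key from `openssl genrsa -out plexhackCA.key 4096` is written unencrypted and the CA certificate carries no name constraints, while the IMPORTANT note asks readers to trust `plexhackCA.crt` on every device. Anyone who obtains that key can issue certificates those devices will accept for any hostname, not only `plex.tv`. Suggest generating the CA key with a passphrase (`-aes256`), telling readers to keep `plexhackCA.key` off the proxy host and offline once the proxy certificate is signed, and considering a critical `nameConstraints` extension that limits the CA to `plex.tv`. The block also never says which directory to run in, yet the PlexAmp section reads `../certs/plexhackCA.crt`; a leading `mkdir -p certs && cd certs` would make the two sections agree.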
@ -32,8 +77,8 @@ In my case I'm using Traefik, so here is an example configuration :
tls: tls:
certificates: certificates:
# use certificates generated in step 1 # use certificates generated in step 1
- certFile: /etc/traefik/ssl/custom/plexfakeclients.crt - certFile: /etc/traefik/ssl/custom/plexhackproxy.crt
keyFile: /etc/traefik/ssl/custom/plexfakeclients.key keyFile: /etc/traefik/ssl/custom/plexhackproxy.key
http: http:
routers: routers:
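Review bot: nothing tells the reader how `plexhackproxy.crt` and `plexhackproxy.key` get from the directory where step 1 wrote them to `/etc/traefik/ssl/custom/`, the path used by `certFile` and `keyFile`. Add that copy step next to the comment `# use certificates generated in step 1`, and state that only these two files belong on the proxy host; `plexhackCA.key` is not needed by Traefik and should stay off it.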
@ -129,3 +174,65 @@ Now if you try to go to `https://clients.plex.tv/api/hack` you should see a JSON
If you see the Plex "Oops, 404" page then something is wrong with your redirection or proxy. If you see the Plex "Oops, 404" page then something is wrong with your redirection or proxy.
## Patch PlexAmp ## Patch PlexAmp
>[!IMPORTANT]
> You'll need to have the official PlexAmp app installed on your device for this to work.
You can use ADB to extract the APK from your device:
```bash
# Execute this from the root of the cloned repo
# Also make sure you have adb installed and your device connected
mkdir extracted_apks && cd extracted_apks
for apk in $(adb shell pm path tv.plex.labs.plexamp | sed 's/package://'); do
adb pull "$apk" .
done
```
>[!NOTE]
> You might be able to download the APK from some websites but it's safer to extract it from your own device.
You'll end up with something like this in the `extracted_apks` folder:
```
.
├── base.apk
├── split_config.arm64_v8a.apk
├── split_config.de.apk
├── split_config.fr.apk
├── split_config.it.apk
└── split_config.xxxhdpi.apk
```
Then you need to patch the `cacert.pem` file inside the `base.apk` to add the `plexhackCA.crt` certificate generated in step 1 and re-sign all the APKs.
_This might sound harder than it is, just follow these steps_:
```bash
# 1. Extract the existing cacert.pem from base.apk
unzip base.apk assets/cacert.pem -d tmp/
# 2. Append your custom CA cert
cat ../certs/plexhackCA.crt >> tmp/assets/cacert.pem
# 3. Replace the file inside base.apk (no compression)
zip -r -0 base.apk tmp/assets/cacert.pem
# 4. Remove existing signatures from ALL APKs (base + splits)
for f in base.apk split_config.*.apk; do
zip -d "$f" 'META-INF/*'
done
# 5. Generate a keystore if you dont already have one
mkdir -p ../keystores
# This will prompt you for some info, you can put whatever you want here and enter "yes" at the end
# WARNING: Take note of the password you enter here as you'll need it to sign the APKs
keytool -genkey -v -keystore ../keystores/plexamphack.keystore -alias plexamphack -keyalg RSA -keysize 2048 -validity 10000
# 6. Sign ALL APKs with the same key
for f in base.apk split_config.*.apk; do
apksigner sign --ks ../keystores/plexamphack.keystore "$f"
done
```
You can now install the modified APK on your Android device.
```bash
# Make sure to uninstall the official PlexAmp app first
adb install-multiple base.apk split_config.*.apk
```